require 'active_record_unit' class ActiveRecordStoreTest < ActionDispatch::IntegrationTest class TestController < ActionController::Base def no_session_access head :ok end def set_session_value raise "missing session!" unless session session[:foo] = params[:foo] || "bar" head :ok end def get_session_value render :text => "foo: #{session[:foo].inspect}" end def get_session_id render :text => "#{request.session_options[:id]}" end def call_reset_session session[:foo] reset_session reset_session if params[:twice] session[:foo] = "baz" head :ok end def renew env["rack.session.options"][:renew] = true session[:foo] = "baz" head :ok end def rescue_action(e) raise end end def setup ActiveRecord::SessionStore.session_class.create_table! end def teardown ActiveRecord::SessionStore.session_class.drop_table! end %w{ session sql_bypass }.each do |class_name| define_method("test_setting_and_getting_session_value_with_#{class_name}_store") do with_store class_name do with_test_route_set do get '/set_session_value' assert_response :success assert cookies['_session_id'] get '/get_session_value' assert_response :success assert_equal 'foo: "bar"', response.body get '/set_session_value', :foo => "baz" assert_response :success assert cookies['_session_id'] get '/get_session_value' assert_response :success assert_equal 'foo: "baz"', response.body get '/call_reset_session' assert_response :success assert_not_equal [], headers['Set-Cookie'] end end end define_method("test_renewing_with_#{class_name}_store") do with_store class_name do with_test_route_set do get '/set_session_value' assert_response :success assert cookies['_session_id'] get '/renew' assert_response :success assert_not_equal [], headers['Set-Cookie'] end end end end def test_getting_nil_session_value with_test_route_set do get '/get_session_value' assert_response :success assert_equal 'foo: nil', response.body end end def test_calling_reset_session_twice_does_not_raise_errors with_test_route_set do get '/call_reset_session', :twice => "true" assert_response :success get '/get_session_value' assert_response :success assert_equal 'foo: "baz"', response.body end end def test_setting_session_value_after_session_reset with_test_route_set do get '/set_session_value' assert_response :success assert cookies['_session_id'] session_id = cookies['_session_id'] get '/call_reset_session' assert_response :success assert_not_equal [], headers['Set-Cookie'] get '/get_session_value' assert_response :success assert_equal 'foo: "baz"', response.body get '/get_session_id' assert_response :success assert_not_equal session_id, response.body end end def test_getting_session_value_after_session_reset with_test_route_set do get '/set_session_value' assert_response :success assert cookies['_session_id'] session_cookie = cookies.send(:hash_for)['_session_id'] get '/call_reset_session' assert_response :success assert_not_equal [], headers['Set-Cookie'] cookies << session_cookie # replace our new session_id with our old, pre-reset session_id get '/get_session_value' assert_response :success assert_equal 'foo: nil', response.body, "data for this session should have been obliterated from the database" end end def test_getting_from_nonexistent_session with_test_route_set do get '/get_session_value' assert_response :success assert_equal 'foo: nil', response.body assert_nil cookies['_session_id'], "should only create session on write, not read" end end def test_getting_session_id with_test_route_set do get '/set_session_value' assert_response :success assert cookies['_session_id'] session_id = cookies['_session_id'] get '/get_session_id' assert_response :success assert_equal session_id, response.body, "should be able to read session id without accessing the session hash" end end def test_doesnt_write_session_cookie_if_session_id_is_already_exists with_test_route_set do get '/set_session_value' assert_response :success assert cookies['_session_id'] get '/get_session_value' assert_response :success assert_equal nil, headers['Set-Cookie'], "should not resend the cookie again if session_id cookie is already exists" end end def test_prevents_session_fixation with_test_route_set do get '/set_session_value' assert_response :success assert cookies['_session_id'] get '/get_session_value' assert_response :success assert_equal 'foo: "bar"', response.body session_id = cookies['_session_id'] assert session_id reset! get '/get_session_value', :_session_id => session_id assert_response :success assert_equal 'foo: nil', response.body assert_not_equal session_id, cookies['_session_id'] end end def test_allows_session_fixation with_test_route_set(:cookie_only => false) do get '/set_session_value' assert_response :success assert cookies['_session_id'] get '/get_session_value' assert_response :success assert_equal 'foo: "bar"', response.body session_id = cookies['_session_id'] assert session_id reset! get '/set_session_value', :_session_id => session_id, :foo => "baz" assert_response :success assert_equal session_id, cookies['_session_id'] get '/get_session_value', :_session_id => session_id assert_response :success assert_equal 'foo: "baz"', response.body assert_equal session_id, cookies['_session_id'] end end private def with_test_route_set(options = {}) with_routing do |set| set.draw do match ':action', :to => 'active_record_store_test/test' end @app = self.class.build_app(set) do |middleware| middleware.use ActiveRecord::SessionStore, options.reverse_merge(:key => '_session_id') middleware.delete "ActionDispatch::ShowExceptions" end yield end end def with_store(class_name) session_class, ActiveRecord::SessionStore.session_class = ActiveRecord::SessionStore.session_class, "ActiveRecord::SessionStore::#{class_name.camelize}".constantize yield ActiveRecord::SessionStore.session_class = session_class end end